[ https://issues.oasis-open.org/browse/COEL-54?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61773#comment-61773 ]
David Snelling commented on COEL-54:
------------------------------------
Joss wrote:
Working with potential customers for the COEL standard, I have noticed that the main concern for the larger customers in this space is currently managing consent – proving to themselves that they have the consent for any action, acting on the consent wishes of their customers and the ability to demonstrate this to the regulator.
The atom structure has the potential for us to record the consent associated with any piece of data within the data. In addition, we can use an atom to record consent activities (providing, changing, revoking, agreeing to data sharing, etc.). A proposed solution for issue COEL-54 is to add an optional field to the BAP for consent recording and raise an issue to include consent actions into the COEL model.
There is an existing stream of work in this area called the Minimum Viable Consent Receipt (MVCR) which has many of the attributes that we would need:
https://kantarainitiative.org/groups/ciswg/
https://github.com/KantaraInitiative/CISWG/blob/master/MVCR-Spec/mvcr-v.08/MVCR%20v0.7.1.md
http://mvcr.herokuapp.com/
I have spoken with one of the chairs, Mark Lizar, and he is keen to explore how we might work together. This open standard work is based in JSON on very similar IPR terms to ours.
The MVCR programme has a wider scope than we initially need but provides the basic information needed to record consent (which I have summarised below). The programme extends to a registry of privacy policies and a consent receipt management system. I believe we could choose at which level we wanted to integrate – the BAP and COEL model additions would be a simple and productive first step.
Consent fields:
Jurisdiction: New BAP field (country look-up)
Timestamp: New BAP field (date when consent was given)
Method of collection: New BAP field (look-up)
Consent provider: Possible new BAP field (this provides the link to the consent record management)
Unique ID: Possible new BAP field (unique ID for consent record management)
PII principal: Not needed (ConsumerID)
Data controller: Not needed (ServiceProviderID)
Privacy Policy URL: New BAP field (could be IDA, or other, inc policy notice)
Purposes: New BAP field (look-up http://tinyurl.com/zchqhut)
Sensitive Personal Information: Not needed (all COEL might be sensitive)
3rd Party Sharing of Personal Info: Possible New BAP field (might help with data sharing between Service Providers)
Link to short privacy notice: Not sure we need this (see above)
OAuth Scope: Not sure we need this
(Retention period): New BAP field (this is not in the MVCR spec but I think it is useful)
> Machine-readable consent terms
> ------------------------------
>
> Key: COEL-54
> URL: https://issues.oasis-open.org/browse/COEL-54
> Project: OASIS Classification of Everyday Living (COEL) TC
> Issue Type: New Feature
> Reporter: Joss Langford
> Assignee: Joss Langford
>
> COEL does not currently support machine readable consent terms and this could be added to every atom